bindfs

Mount a directory with same permissions

$ sudo bindfs [path/to/directory] [path/to/mount_point]

$ sudo bindfs --map=[user1]/[user2] [path/to/directory] [path/to/mount_point]

$ sudo umount [path/to/mount_point]

bindfs [OPTIONS] ORIGINAL_DIR MOUNT_POINT
bindfs --help
bindfs --version

--uid <uid>, -u <uid>
    Sets the owner UID for all files and directories visible through the mount point.

--gid <gid>, -g <gid>
    Sets the owner GID for all files and directories visible through the mount point.

--perms <permissions>, -p <permissions>
    Sets the permissions for all files and directories. Can be octal (e.g., 755) or symbolic (e.g., u=rwX,go=rX).

--create-for-user <user>, -m <user>
    Specifies the user (by name or UID) who will own newly created files and directories.

--create-for-group <group>, -M <group>
    Specifies the group (by name or GID) which will own newly created files and directories.

--create-perms <permissions>, -P <permissions>
    Sets the permissions for newly created files and directories (octal or symbolic).

--user-map <from_uid>/<to_uid>
    Maps a specific UID from the original directory to a different UID at the mount point. Can be specified multiple times.

--group-map <from_gid>/<to_gid>
    Maps a specific GID from the original directory to a different GID at the mount point. Can be specified multiple times.

--force-user <user>
    Forces all files and directories to be owned by the specified user (name or UID), overriding any other user rules.

--force-group <group>
    Forces all files and directories to be owned by the specified group (name or GID), overriding any other group rules.

--mirror-only
    Makes the bindfs mount read-only and ensures that the visible owner, group, and permissions exactly mirror the underlying files.

--allow-recursion
    Allows mounting a bindfs over another bindfs mount point, enabling layered transformations.

-o <options>
    Passes comma-separated FUSE-specific options directly to the FUSE kernel module (e.g., allow_other, default_permissions, ro).

-f
    Runs bindfs in the foreground; it will not daemonize.

-d
    Enables debug output, showing detailed FUSE operations.

-h, --help
    Displays usage information and exits.

-V, --version
    Displays version information and exits.

bindfs is a powerful FUSE (Filesystem in Userspace) program that allows you to create a virtual view of an existing directory. Unlike a standard mount --bind operation, bindfs can dynamically alter the permissions, ownership, and other file attributes of the content as seen through the mount point, without modifying the original files or directories. This makes it invaluable for scenarios where you need to present different access rights or ownerships for a set of files to different users or applications. For instance, a web server might require read-only access to specific files, while the original files need write access by an administrator. bindfs acts as an on-the-fly translator, intercepting filesystem operations and applying configured rules. It's commonly used in shared development environments, web hosting, or to bridge permission discrepancies between host systems and containerized applications. It provides flexibility and enhanced security by allowing fine-grained control over how a directory's contents appear to users accessing it via the bindfs mount.

Performance Overhead: Being a FUSE filesystem, bindfs introduces a slight performance overhead compared to direct filesystem access or native mount --bind operations, as every file operation is intercepted and processed in userspace.
Virtual, Not Actual Changes: The permission and ownership changes applied by bindfs are only virtual; the original files and directories on the underlying filesystem remain untouched. This distinction can sometimes lead to confusion if users access the original path directly.
ACLs: bindfs primarily works with traditional Unix permissions. While it attempts to translate ACLs to an extent, it might not provide full ACL functionality or perfect mapping for complex scenarios.
Requires FUSE Module: The FUSE kernel module must be loaded on the system for bindfs to function correctly.

• Web servers: Providing restricted read-only access to web roots while developers maintain write access to original files.
• Shared development environments: Allowing multiple users with different UIDs/GIDs to collaborate on the same codebase, where bindfs normalizes permissions.
• Containerization: Bridging permission mismatches between host volumes and container expectations (e.g., a container user 'nginx' with UID 101 needs access to host files owned by 'root' or a different UID).
• Security hardening: Presenting a directory with more restrictive permissions to a specific application or service.

bindfs operates as a FUSE filesystem. When you mount a directory with bindfs, it acts as an intermediary. Any attempt to access files or directories through the bindfs mount point is intercepted by the bindfs process. This process then consults its internal rules (configured via command-line options) and presents a modified view of the underlying files' attributes (permissions, ownership, etc.) to the requesting application or user. The actual files on the original filesystem remain unchanged. When a write operation occurs, bindfs translates it back to the original filesystem, respecting its rules for new file creation or attribute modification if configured.

bindfs was created by Martin F. Krafft and first released around 2008. It emerged to address a significant limitation of the standard mount --bind command, which allows binding a directory to another location but does not provide any means to modify the attributes (like permissions or ownership) of the files visible through the new mount point. bindfs filled this gap by leveraging the FUSE framework, enabling user-space manipulation of filesystem attributes. Its development provided a flexible solution for scenarios requiring permission translation on the fly, quickly becoming a go-to tool for specific system administration and development environment needs.

mount(8), fuse(4), chmod(1), chown(1), ls(1)